Executive Summary
The HTTPS Bicycle attack can result in the length of personal and secret data being exposed from a packet capture of a user's HTTPS traffic. For example, the length of passwords and other data (such as GPS co-ordinates) can be determined simply by analysing the lengths of the encrypted traffic.
Some key observations about this attack:
- Requires a packet capture containing HTTPS (TLS) traffic from a browser to a website
- The TLS traffic must use a stream-based cipher
- Can reveal the lengths of unknown data as long as the length of the rest of the data is known - this includes passwords, GPS data and IP addresses
- Packet captures from several years ago could be vulnerable to this attack, with no mitigation possible
- The real world impact is unknown, as there are several prerequisites that may be hard to fulfill
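
The length leak described in the observations above, as an added example that is not part of the original write-up: a toy stream cipher (SHA-256 in counter mode, standing in for a real TLS stream cipher) shows that record length tracks plaintext length, and that a filler field padding the request body to a fixed bucket removes the signal. The form fields, sample passwords, 28-byte record overhead and the padding countermeasure are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16
OVERHEAD = NONCE_LEN + TAG_LEN  # constant per-record overhead assumed for this toy model


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (illustration only, not a TLS cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stream-encrypt a record: output is always len(plaintext) + OVERHEAD bytes."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def login_body(password: str, bucket: int = 0) -> bytes:
    """Constructed login form body; bucket > 0 appends a filler field so the
    body length is a multiple of `bucket` (assumed countermeasure)."""
    body = f"username=alice&password={password}"
    if bucket:
        body += "&pad="
        body += "x" * (-len(body) % bucket)
    return body.encode()


def observed_secret_length(record_len: int, known_len: int) -> int:
    """What the record size reveals once overhead and known bytes are subtracted."""
    return record_len - OVERHEAD - known_len


def demo():
    key = os.urandom(32)
    known = len(login_body(""))              # everything except the password
    passwords = ["hunter", "correct-horse-9"]  # constructed sample values
    leaked = [observed_secret_length(len(seal(key, login_body(p))), known)
              for p in passwords]
    padded = [len(seal(key, login_body(p, bucket=64))) for p in passwords]
    return leaked, padded
```

Without the filler field the record sizes give away both password lengths exactly; with it, both records are the same size on the wire.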
You can keep up to date with the discussion of HTTPS Bicycle on Reddit at https://www.reddit.com/r/netsec/comments/3zc5qu/https_bicycle_attack/